Support » Fixing WordPress » Calling all site owners hacked by walangkaji/ Badi etc. – Need some help

  • Resolved rossagrant


    Hi guys!

    I think this has been spreading a fair bit over the last few weeks.

    Today 2 of my sites (on the same server) got hit by a ‘Hacked By Badi’ hack.

    Here’s a detailed look at what it does:

    1. It changes your site title to something like this:
    +ADw-/title+AD4-Hacked By Badi+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    2. It creates a non registered sidebar in your ‘Widgets’ area and inserts a text widget with some script in it which looks like this:

    <script>document.documentElement.innerHTML = unescape([ redacted ]);</script>

    ALL widgets are removed from the sidebar that are currently on your site, so you have no widgets displaying in the front end.

    3. It changes your charset from UTF-8 to UTF 7.

    Now I HAVE NO IDEA how this happens, as no users are created, it doesn’t look like wp-config is altered, no passwords are changed etc.

    Now I have Vaultpress and looking at my logs for the day (it’s been a pretty quiet day on my WP/ Buddypress site) I see that between 9:21am and 10:21am that 33 uploads to the uploads folder were made.

    I can’t be sure, but I don’t think these were uploaded by a user. They weren’t uploaded by me.

    None of the hack’s affects were felt at this time though, as I was online until midday, and a user submitted a Gravity form at about 4:30PM through a widget.

    They wouldn’t have been able to see the widget once the hack was in place.

    Vaultpress shows me that my site title and charset weren’t changed until about 8:30pm, so maybe the uploads and this hack were unrelated.

    I have deleted the text widget created, changed me charset back to UTF-8 through settings—> reading WHICH SHOULDN’T ACTUALLY SHOW THAT OPTION SINCE WP 3.5 (so the script must bring that option back too), and changed my site title back.

    I was just wondering if those who have experienced this would post a list of the plugins they use.

    We can then cross check and see if there is a plugin flaw causing this.

    It looks like an SQL injection, but I have no idea how they work.

    Seems a bit too widespread to be a host issue perhaps.

    I really don’t know, but if we put our heads together, we can hopefully get to the bottom of it.

    I have Securi on this too.

    Please pitch in!

Viewing 15 replies - 16 through 30 (of 86 total)
  • Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    Rossagrant, I am in the same boat. Quit my dull job to take on wordpress development full time to support my family. I don’t know why somebody would do something like this. My 3 year old is trying to get my attention to play with him and I CANT BECAUSE of this incident.

    Whatever… Thank you for the info though. I need to know about Vulnerabilities too. My livelihood is on the line also.

    My Clients are asking me why somebody would do this… What is the motivation behind hacking like this?

    Thank you Jan!

    Not sure Dev,

    I though the protocol on this kind of stuff was to let the core team know at WP with a ‘we’ll put this out in the wild in x days’ kind of thing.

    I still don’t know for sure if it’s a server side thing(very widespread across loads of different hosts) or a core WP thing.

    I have spoken to a few site owners and can’t see a plugin correlation, so it’s either WP or servers.

    Rossagrant; do you mean UTF-.. in the style.css?
    I am running WP3.5

    No UTF-8 is the charset you need to set your database to in order for it to display some characters correctly.

    UTF-7, which the hack sets it too allows for code to be passed through the DB and isn’t good from a security aspect.

    From what i found with my sites, if you go into the Settings—>Reading screen in the WP dashboard BEFORE you delete Badi’s text widget with his script in, then you will see an option to set the charset back to UTF-8.

    If you delete the script then that option disappears and I guess you will have to set it through PhpMyAdmin.

    The option was taken out of the dashboard in WP 3.5.

    This hack seems to reinstate it until you delete the script found in the text widget that is also created upon the hack getting into your site.

    OK, unfortunately I don’t understand where to change UTF-7 (I use Cpanel)

    When I go to my Cpanel and select PhPadmin, the same hack screen from Badi appears…. does this input help?

    Klap, the UTF option should be in your WP dashboard, not in CPanel.

    Do you still see the text widget in the backend of WP in the Appearance—>Widgets section.

    It will be under a heading down the page that says unregistered sidebar?

    Don’t delete it just yet, but see if it’s there.

    No, no UTF option under dashboard and no text widget (only Fancy text which I bought.
    Yhe strange thing is that my widget page keeps loading and my sidebar dissappeared

    The text widget won’t be in one of your sidebar areas, it will be in a long panel under the list of widgets on the LEFT.

    It will be in an unregistered sidebar.

    If it’s not, I’m not too sure, that’s just what I experienced.

    no nothing there, also no UTF under dashboard….

    Not too sure exactly what has gone on there then. Is yous ite title still messed up? Change it back.

    Are you showing weird characters on your site. Try typing a £ sign and see what it displays as. Are you definitely set to UTF-7?

    Just notice that my hosting previder helped me out with a backup.
    Caracters appear normally
    I don’t know what Charset I use – the Style.css says Charset UTF-8 though…

    Klap if £ signs appear normally you are good to go.

    That backup will have cleared out the hack I guess.

    Keep a close eye on things though.

    Sure, still a problem after the hack with te widget page – sidebar is completely dissappeared and site keeps loading AND when I select phpMYadmin in Cpanel the screen of Badi appears – no way to acces phpMyadmin…..

Viewing 15 replies - 16 through 30 (of 86 total)
  • The topic ‘Calling all site owners hacked by walangkaji/ Badi etc. – Need some help’ is closed to new replies.